
Context

I'm playing Bandit on OverTheWire, and level thirteen requires unzipping various compressed file formats without knowing the file extension. To do this, I have been comparing the hexdump with file signatures from Gary Kessler's website.

What I've noticed, however, is that the hex signature appears backwards. For example, take this gz, tgz gzip archive file:

```
0000000 8b1f 0808 5006 5eb4 0302 6164 6174 2e32
0000010 6962 006e 3d01 c202 42fd 685a 3139 5941
0000020 5326 8e59 1c4f 00c8 1e00 ff7f f9fb da7f
...
```

The signature `8b1f 0808` is backwards compared to what Gary Kessler's website indicates:

```
1F 8B 08        .‹. GZ, TGZ         GZIP archive file
                        VLT         VLC Player Skin file
```

Question

Why is the signature backwards? `1F 8B 08` vs `8b1f 0808`. The first file encountered is a hexdump of an archive file, data.txt, and has a proper signature of `1f8b 0808` (found using `head data.txt`), which aligns perfectly with the signature. However, when I run `xxd -r data.txt | hexdump` I once again get `8b1f 0808`.

I am aware of Big endian vs Little endian encoding, but I don't think that is what is causing this. It seems reversed like big / little endian but in the wrong way.

  • They seem to be just pairwise "backwards", so it looks to me like a [little endian vs. big endian](https://www.tutorialspoint.com/big-endian-and-little-endian) effect. Nothing to worry about. – user1934428 Jun 24 '22 at 05:26
  • Try `xxd -g1`, so it prints byte-by-byte. – Gordon Davisson Jun 24 '22 at 05:34
  • @user1934428 Could you please elaborate? If it's big endian I don't know why it would appear like this. For example, `0001 11111` would be `1f` in big endian form, but `8f` in little endian. Is it being written as `1111 1000`? – William Torkington Jun 24 '22 at 05:37
  • 0001 in the reversed endianness would be 0100 of course, not 1000. You have to reverse the bytes, not the nybbles. Of course this assumes that we have 16-bit-words. With 32-bits, you have to consider 4-byte-groups. The example posted looks like 16-bit. Aside from this, such a question should be posted at i.e. [su], because it is not related to programming. – user1934428 Jun 24 '22 at 05:40
  • @GordonDavisson Oh thank you! I checked out what the man page had to say about the -g flag, but I know that what I don't understand is what 'grouping' is. If there's anything else you could share about it I would be very appreciative. – William Torkington Jun 24 '22 at 05:42
  • What CPU type and OS/distro are you running this under? I suspect this is due to the endianness of your architecture, but I'm not sure of the details. Try `printf '\001\002\003\004\005\006\007\010' | xxd -g4` and `... -g8` to see how it orders the bytes in 4- and 8-byte groupings. – Gordon Davisson Jun 24 '22 at 17:20
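
The grouping effect discussed in the question and comments, as an added example that is not part of the original thread: `hexdump` with no options prints 16-bit words in host byte order, so on a little-endian machine every byte pair appears swapped relative to file order. The function names are hypothetical, the sample bytes are constructed from the first dump line in the question, and `od` stands in for `hexdump`/`xxd` so the script needs only POSIX tools.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample data is constructed
# from the first dump line in the question.

# First 8 bytes of the file, in file order: 1f 8b 08 08 06 50 b4 5e
sample_bytes() { printf '\037\213\010\010\006\120\264\136'; }

# Byte-by-byte view of stdin (the view `xxd -g1` gives): file order,
# unaffected by host endianness.
bytes_view() {
  od -An -v -tx1 |
    awk '{ for (i = 1; i <= NF; i++) out = out (out == "" ? "" : " ") $i }
         END { print out }'
}

# Emulate hexdump's default 16-bit grouping as seen on a little-endian host:
# each pair (b0, b1) is read as one word and printed as "b1b0".
# An odd trailing byte is zero-padded into the high half of the word.
words_view_le() {
  bytes_view | awk '{
    for (i = 1; i <= NF; i += 2)
      printf "%s%s%s", (i + 1 <= NF ? $(i + 1) : "00"), $i, (i + 2 <= NF ? " " : "\n")
  }'
}

# Undo the grouping: read default hexdump lines (offset column first) on stdin
# and print the bytes in file order, ready to compare with a signature table.
hexdump_words_to_bytes() {
  awk '{
    for (i = 2; i <= NF; i++)
      if (length($i) == 4)
        out = out (out == "" ? "" : " ") substr($i, 3, 2) " " substr($i, 1, 2)
  } END { print out }'
}

# True when a file-order byte string starts with the gzip signature 1F 8B 08.
has_gzip_magic() {
  case "$1" in "1f 8b 08"*) return 0 ;; *) return 1 ;; esac
}

sample_bytes | bytes_view      # file order, matches the signature table
sample_bytes | words_view_le   # same bytes as 16-bit little-endian words
```

The bytes on disk are identical in both views; only the display grouping differs, which is why the signature table has to be compared against the byte-by-byte form.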

0 Answers